LinuxUser

"Let there be light!" It's hard not to feel godlike when issuing such a command and while this issue of RasPi can't offer you omniscience or infinite wisdom, it will show you how to control your household lighting via your voice, divine or otherwise. Swipe along to our main feature and learn how to combine your Pi with an Amazon Echo to control the Pimoroni home lighting kit, Mote. We'll show you how to create an unpublished skill that will provide some miraculous utterances for changing the colour of your lighting and turning it on and off. Hallelujah.

Also in this issue you can build a doomsday switch to nuke your precious data in case of a breach and combine Python and Pi to keep an eye on your servers. Swipe on!


Get inspired
Discover the RasPi community's best projects

Expert advice
Got a question? Get in touch and we'll give you a hand

Easy-to-follow guides
Learn to make and code gadgets with Raspberry Pi

Control lighting with the Pi and Amazon Echo


Control Pimoroni’s home lighting kit for the 
Raspberry Pi through the Alexa Skills kit 


In 2016, Amazon brought the Echo (£150) and Echo Dot (£50) devices to the UK market, providing a voice assistant for your home. The Alexa service provides lots of built-in features such as radio and music streaming, creating and editing your shopping lists, weather updates and many other custom skills provided by third parties. Skill builders such as Uber and Capital One publish their skills for the general public, which means they go through a vetting process similar to that of the Apple App Store. For this tutorial, we will be creating an unpublished skill for our own Echo or Echo Dot to control the Pimoroni home lighting kit called Mote.

Our skill will provide utterances for changing the colour of our LEDs like "Alexa, ask Mote change to blue" and will let us turn them off by saying "Alexa, tell mote turn off."


THE PROJECT ESSENTIALS

Github repository: https://github.com/alexellis/motephat-alexa

Pimoroni mote-phat and accessories (pimoroni.com)

Soldering iron, flux and solder

01 Prepare your hardware

Prepare your mote-phat add-on board by attaching and soldering its 40-pin female header, included in the packaging. If you're using a Pi Zero you will also need to solder a 40-pin male header before continuing.

02 Set up the base system

Flash a new SD card with Raspbian Jessie Lite, making sure to create a file in the boot partition called 'ssh'; this will let us connect over SSH remotely and copy/paste commands without needing UI packages or a screen. Once plugged in, your Pi will be accessible via ssh pi@raspberrypi.local.

03 Responding to Alexa - Lambda or HTTPS

Alexa can either invoke code over an HTTPS endpoint (web-service) or via a Lambda function, which is a piece of code uploaded to Amazon's AWS service and invoked on demand. For our tutorial, we'll set up our own HTTPS endpoint from our Pi to the public internet with the ngrok tool. Download and unzip ngrok for Linux ARM into /usr/bin from https://ngrok.com/download


04 Install Docker

Docker is a packaging and runtime system that allows us to build, ship and run software easily. Run these two commands then reconnect over SSH.

```
# curl -sSL get.docker.com | sh
# sudo usermod pi -aG docker
```

Now clone the GitHub repository and build the Docker image (this will take some time):


```
# apt-get update && apt-get -qy install git jq
# git clone https://github.com/alexellis/motephat-alexa
# cd motephat-alexa
# docker build -t alexamote .
```

Screenshot: motephat-alexa/Dockerfile as shown on GitHub (branch master):

```
FROM resin/rpi-raspbian
MAINTAINER alexellis2@gmail.com

RUN apt-get update \
 && apt-get install git python-dev python-pip gcc \
 && git clone https://github.com/pimoroni/mote-phat \
 && pip install flask \
 && cd mote-phat/library && python setup.py install \
 && apt-get -qy remove python-dev gcc \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /root/
RUN mkdir /root/alexa/
WORKDIR /root/alexa/
COPY mote.py .
COPY app.py .
EXPOSE 5000
ENTRYPOINT []
CMD ["python", "./app.py"]
```


The resulting Docker image contains everything needed for 
our application in an isolated package. 

05 Start the code with Docker

Our project's code is packaged with all its dependencies into a single container. We can now run that in the background and open the ngrok HTTPS tunnel to the internet. The -p flag tells Docker to expose the port for our web server code that talks to Alexa. The -d flag tells the service to run in the background.

```
# docker run --name mote --privileged -d -p 5000:5000 alexamote
# ngrok http 5000 > /dev/null &
# curl localhost:4040/api/tunnels | jq -r ".tunnels[1].public_url"
```

Take note of your 'public_url' beginning with https. This changes every time the ngrok process starts.

If you want to stop the mote-phat process later on you can type in docker rm -f mote or docker ps to view its status.

Screenshot: a terminal session running the three commands above, followed by the test request from the next step, which returns:

```
{"version": "1.0", "response": {"outputSpeech": {"text": "OK, changing to red", "type": "PlainText"}, "shouldEndSession": true, "card": {"content": "OK, changing to red", "type": "Simple", "title": "Colour change"}}, "sessionAttributes": {}}
```

Natural Language Parsing (NLP)

The Alexa service sends recordings from your device to the Amazon cloud where NLP (Natural Language Parsing) breaks the words down into intents and slots. A sample phrase such as "Alexa, what is the weather for London tomorrow?" would be parsed as an intent of "FindWeather" with two slots of: Date=tomorrow and Location=London, UK. Sample utterances help cover the many different ways we can say the same thing in a language.


06 Test the endpoint

Once you have your HTTPS URL from ngrok, then you can test everything out by sending in a request just like the one the Alexa SDK creates. We have captured two samples and saved them in the Git repository.

Test going red:

```
# curl -X POST -H "Content-type: application/json" -d @coloursample.json https://c00738f6.ngrok.io
```

Test turning the lights off:

```
# curl -X POST -H "Content-type: application/json" -d @coloursample.json https://c00738f6.ngrok.io
```


07 Create an Alexa skill

Head over to https://developer.amazon.com/myapps.html and click Alexa>Alexa Skills Kit>Get Started. You may need to register for this step and provide billing information for any purchases you want to make.

Screenshot: the skill's Interaction Model tab.

Custom Slot Types
Type: MoteColour
Values: red | green | blue | warm white

Sample Utterances
ChangeColourIntent change to {Colour}
TurnOffIntent turn off

Left: The custom slot helps Alexa by providing a list of all the things you could say

Click Add a New Skill>English UK and type in 'mote' for the name and invocation name fields. For the intent schema, copy/paste 'speechAsssets/intentSchema.json' and for sample utterances 'speechAsssets/sampleUtterances.txt'. You must also add a custom slot called colour with the values red/green/blue on separate lines. The custom slot helps Alexa by providing a list of all the things you could say to her - it's like a parameter in coding.

Screenshot: the start of the Intent Schema (cut off in the image):

```
"intents": [
  {
    "intent": "ChangeColourIntent",
    "slots": [
      {
        "name": "Colour",
        "type": "MoteColour"
```

08 Point Alexa to your HTTPS endpoint

Under the configuration tab of your Alexa Skill, click service endpoint type: HTTPS. Then select your nearest region (this will be Europe in the UK) and paste in the ngrok URL from earlier.

Screenshot: the Configuration tab with Service Endpoint Type set to HTTPS, the Europe region ticked and https://fde78cb3.ngrok.io entered as the endpoint.

Now click 'My development endpoint has a certificate from a trusted certificate authority' on the SSL Certificate tab.

On the Test tab you can type in sample utterances such as "change to blue" or "turn off" - when you click 'Ask mote' a message will be transmitted to your Pi from Alexa's online service, bypassing the Echo/Dot.


09 Talk to your Echo

If everything worked you will be able to talk to your Echo/Dot. Simply say "Alexa, ask mote change to red" or "Alexa, ask mote to turn off". For dimming the brightness level you can take inspiration from Alex's Christmas Tree hack's source code at: http://blog.alexellis.io/christmas-iot-tree/

Screenshot: an excerpt from app.py:

```
if post_data["request"]["intent"]["name"] == "TurnOffIntent":
    response = get_response("Turning off", "OK")
else:
    response = get_response("OK setting desired colour", "OK")
    slot_colour = post_data["request"]["intent"]["slots"]["Colour"]["value"]
    if slot_colour not in ["red", "green", "blue"]:
        response = get_response("Can only set red, green or blue", "Error")
    else:
        red = 0
        green = 0
        blue = 0

        if slot_colour == "red":
            ...  # the excerpt ends here
```
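The curl test in step 06 shows that the ngrok URL accepts a POST from any client, and the excerpt above indexes straight into whatever JSON arrives. The following is an added example, not code from the article or the motephat-alexa repository: a Python 3 check that could run before the intent handling, rejecting bodies that are not addressed to your skill, are stale, or lack the expected fields. The application ID is a placeholder, the sample requests are constructed, and the check does not cover the Signature and SignatureCertChainUrl headers that Amazon also sends.

```python
"""Added example: validate an Alexa-style request before touching the LEDs."""
from datetime import datetime, timedelta, timezone

# Assumption: placeholder value. Use the Application Id shown for your own
# skill in the Amazon developer console.
EXPECTED_APP_ID = "amzn1.ask.skill.PLACEHOLDER"
MAX_SKEW = timedelta(seconds=150)        # tolerance Amazon asks skills to enforce
ALLOWED_COLOURS = {"red", "green", "blue"}


class RejectedRequest(Exception):
    """The request must not be acted on; answer with HTTP 400."""


def _dig(obj, *keys):
    """Walk nested dicts; reject instead of raising KeyError/TypeError."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            raise RejectedRequest("missing field " + ".".join(keys))
        obj = obj[key]
    return obj


def validate(post_data, now=None):
    """Return ("off", None) or ("colour", name), or raise RejectedRequest."""
    now = now or datetime.now(timezone.utc)

    # 1. The request must be addressed to our skill, not someone else's.
    if _dig(post_data, "session", "application", "applicationId") != EXPECTED_APP_ID:
        raise RejectedRequest("unexpected applicationId")

    # 2. Refuse old captures replayed against the public URL.
    stamp = _dig(post_data, "request", "timestamp")
    try:
        sent = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        raise RejectedRequest("unparseable timestamp") from None
    if abs(now - sent.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        raise RejectedRequest("timestamp outside tolerance")

    # 3. Only the two intents the skill defines are accepted.
    if _dig(post_data, "request", "type") != "IntentRequest":
        raise RejectedRequest("not an IntentRequest")
    intent = _dig(post_data, "request", "intent", "name")
    if intent == "TurnOffIntent":
        return ("off", None)
    if intent == "ChangeColourIntent":
        # A slot Alexa could not fill arrives without "value"; _dig rejects it.
        colour = _dig(post_data, "request", "intent", "slots", "Colour", "value")
        if not isinstance(colour, str) or colour.lower() not in ALLOWED_COLOURS:
            raise RejectedRequest("colour not allowed")
        return ("colour", colour.lower())
    raise RejectedRequest("unknown intent")


def sample_request(intent, colour=None, app_id=EXPECTED_APP_ID,
                   timestamp="2017-01-15T12:00:00Z"):
    """Constructed sample body (not one of the repository's captured samples)."""
    body = {
        "version": "1.0",
        "session": {"application": {"applicationId": app_id}},
        "request": {"type": "IntentRequest", "timestamp": timestamp,
                    "intent": {"name": intent, "slots": {}}},
    }
    if colour is not None:
        body["request"]["intent"]["slots"]["Colour"] = {"name": "Colour",
                                                        "value": colour}
    return body


if __name__ == "__main__":
    now = datetime(2017, 1, 15, 12, 0, 30, tzinfo=timezone.utc)
    print(validate(sample_request("ChangeColourIntent", "Red"), now=now))
    for bad in (sample_request("TurnOffIntent", app_id="someone-else"),
                sample_request("TurnOffIntent", timestamp="2017-01-15T11:00:00Z"),
                sample_request("ChangeColourIntent", "purple"),
                {"request": "not-a-dict"}):
        try:
            validate(bad, now=now)
        except RejectedRequest as err:
            print("rejected:", err)
```

In a Flask handler, catch RejectedRequest and return a 400 response before any call into the Mote library.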


10 Next steps

Now that you have created your first skill, maybe you can think of some ways to extend it or to apply it to other hardware projects? We think dimming the light could be useful and it should be easy to add other colours. If you want to know more about Docker, check out the boxout, the Dockerfile on the article's GitHub and Alex's beginner tutorials at: http://blog.alexellis.io/tag/raspberry-pi/


Docker

Docker is a game-changer for packaging, deploying and running software. Each time you build software, Docker creates an image with its own root filesystem and network addresses. Inside a Docker container it feels exactly like a full virtual machine, except faster, because a container is a regular process with some advanced syscalls applied for security and isolation.

The Docker CLI is intuitive for Linux users with commands like 'docker ps', 'docker run', and 'docker kill'. The 'docker build' command uses a Dockerfile, which is similar to a Makefile.











originally come from? 

I grew up playing Mario and Zelda, and 
then finally Pokemon in the late Nineties. Once a 
year or so I dust off the SNES or Gameboy Color and 
play one of the games through. This year though has 
been a busy one for retro gaming. Every few weeks 
someone is gutting an original Gameboy or DS and 
modifying it for the Pi Zero or Pi 3. Some are even 
designing their own cases. These projects have been 
intriguing, and they inspired me to build one that fits 
my needs a little better. My focus in all my projects is 
in keeping the cost low, since I prefer to spend time 
on a project rather than money. This meant finding an 
existing case for the hardware that was inexpensive, 
had a larger LCD to suit my preferences, and that 
had the right buttons to play console and handheld 
games. The ability to connect external USB devices 
was also important. After all, the Pi is a mini computer, 
and the ability to use it as one makes it that much 
more useful. A broken PSP was the perfect fit. 



Adam Seamster is a long time Raspberry Pi tinkerer, with a history of breathing new life into aging handheld consoles. All of his work is showcased over on www.othermod.com.


The Pi Zero plays a big role in the development of 
the PSPi, could you tell us how easy you found it 
to work with? Was the choice of the Pi Zero purely 
down to its size? 

The Pi Zero was very easy to work with once a few 
basics were understood. This is not a device that 
gets plugged in and is ready to go. It requires time 
and effort. For this project specifically it was size that 
made the decision on the Pi version used. For projects 
in general though, it's all about cost, and this project 




probably wouldn't have happened if the Pi Zero's cost 
was $30. I've been a tinkerer since I was a child, and 
having this $5 device with endless possibilities is very 
exciting. This will not be my last project using the 
Pi Zero. 

Are you using a regular computer monitor for the 
display? 

Yep, and the bezels are actually just the bezels from 
the computer monitor as well. It just happened to look 
right so I kept that. It's just a monitor that I bought at 
a thrift store called Value Village for about four, five 
dollars, something like that. It's not the newest thing 
ever, but it works more than well enough for what 
I'm doing. 

What are the key differences between the original
PSPi and the PSPi 2 that you launched recently?

The original PSPi was an experiment and was done 
without any community involvement. I toiled away 
for a few hours after work every day for about two 
months before finally arriving at a playable handheld. 
Everything was very hacked together because there 
wasn't a process yet. The design was being made 



THE PROJECT ESSENTIALS

Raspberry Pi Zero 

4.3" composite LCD 
screen 

IRF7319 dual MOSFET 

LM393 voltage 
comparator 

Lithium charge 
controller and power 
board 

Audio amplifier 

Lithium batteries 

FPC connectors and 
cables 

BAT54C dual diode 


Left Adam created a 
soft power on and off 
circuit in the PSPi 2, 
to make it easier for 
gamers to turn the 
small device on or 
off quickly 





Left Each individual 
control on the PSP 
had to be soldered 
into place at the exact 
location needed to 
register a movement 
or action 


up as I went along and it shows that there was re-engineering
done a few times. Although everyone
loved the 'rat's nest' of the original, the second is 
much cleaner and organised. The second PSPi is 
almost identical in functionality, but it is more clean 
and organised. Lessons learned on the first one 
were used to make changes to the second, including 
the use of a different LCD and better quality audio 
components. One major addition to PSPi 2 is going to 
be the analog joystick, which was present in Version 1 
but not actually functional. 

Did you experience any major development 

problems throughout the project? Any specific 

areas that caused you a few headaches? 

Every part of this project has been a learning 
experience. I knew how the finished device needed 
to look and function, but had little direction on how to 
get there. Luckily there was plenty of time for research 
and planning when the project started because the Pi 
Zero was in short supply. This gave time to research 








Like it? 

If you find Adam's 
project a little 
complex, then 
you'll be able to 
find some more 
Pi-based gaming 
builds all over the 
place. If you want 
to create your own, 
you can either 
follow Adam's 
tutorials on his site, 
or search out the 
RetroPie website. 


different hardware aspects of the audio filter, GPIO 
controls, and the composite LCD interface. This didn't 
prevent issues though. It took trial and error to find an 
audio circuit with reasonable sound quality and the 
power circuit had to be designed specifically for the 
Pi. Also, the hardware is only half of any build like this, 
and the software was just as complicated. Sharing 
this information is one reason I created the otherMod.com
website. I've created tutorials for each part of
the project as progress is made, hopefully allowing it 
to be recreated by those with less experience or less 
time to do the extensive research. 


How easy would it be for our readers to recreate 
your PSPi 2 project? Do you have any tips for those 
willing to take it on? 

This project is difficult to recreate. It contains 
many separate circuits and components that must 
be individually connected to each other, so an 
understanding of basic electronics is helpful and some 










soldering experience is required. This is not including 
the work on the software side, which was even more 
difficult than the hardware at times. My goal with the 
PSPi was to make it as cheap as possible, leading 
to increased complexity and difficulty because of 
how custom every part of it was. The site's tutorials 
are meant to help with much of this, but this is still 
a project that many will find daunting. That being 
said, I'm working on changing it. I'm working with 
the community in designing a custom circuit board to 
interface with the Pi Zero and the PSP. The goal is to 
combine most of the custom circuits onto one board, 
and this board will require minimal soldering to the Pi 
Zero. Hopefully this will make the project available to 
many others that want a PSPi of their own. 


Further 

reading 

Adam has been 
kind enough to 
detail the whole 
build process of his 
project on his site 
(othermod.com). 
You'll also be able 
to find a plethora 
of tutorials that can 
help you get the 
basics of recreating 
your own PSPi 
project. 



What's the future of the PSPi project? Do you think 

there's a third version somewhere on the horizon? 

This is only the beginning, and Version 3 will be hitting 
the site in the near future. Version 2 was the first in-progress
project to be exposed to the community,
and others in the community
responded with great ideas,
changes and additions that 
will make their way into 
the next version. I never 
expected the project to 
become as popular as it 
did, and I'll keep it going 
until we reach a point 
where anyone can make 
one for themselves. 








Make a Raspberry Pi 
doomsday switch 


Keep your data safe with a handy ‘nuke’ password 
to erase your home folder in case of emergency 


THE PROJECT ESSENTIALS

Suitable for all models of Raspberry Pi

If you're worried about the somewhat Orwellian notion of forced disclosure of passwords, this project posits a rather radical solution to the dilemma by creating a second password for your user account, which, instead of logging you in, will nuke your home folder using special tools.

While this is simple to set up, do make sure to 
back up your personal data to a safe place before 
going ahead. Also bear in mind that anyone with 
physical access to your machine may seize it before 
you have a chance to flip this kill switch. 

01 Create your new user account

Although you most likely will already have a user account on the Pi, create a new one for this project by opening Terminal on your Pi or connecting via SSH and running the command

sudo adduser name

Screenshot: creating the user 'alice' and adding her to the sudo group:

pi@raspberrypi > adduser alice
Adding user `alice' ...
Adding new group `alice' (1001) ...
Adding new user `alice' (1001) with group `alice' ...
Creating home directory `/home/alice' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for alice
Enter the new value, or press ENTER for the default
        Full Name []: Alice Smith
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
pi@raspberrypi > adduser alice sudo
Adding user `alice' to group `sudo' ...
Adding user alice to group sudo
Done.
pi@raspberrypi >

Add your new user as an Administrator with

sudo adduser name sudo

Substitute 'name' with your chosen username.

Above: Choose your normal login password. Fill in the other fields or just press return to leave blank

02 Create your Nuke script

You should stay logged in as the 'pi' user for now and run the following command:

sudo nano /etc/security/security.sh

In the new window, paste the following:

#!/bin/bash
read -r password

# If the username and password match...
if [ "$PAM_USER" = "name" ] && [ "$password" = "nukepassword" ]
then
    # Begin nuke process
    echo "Nuke is starting."
    # Securely erase the home folder
    srm -rvvv /home/name/
    echo "Home folder has been erased."
    # Overwrite the /home folder with random data
    #sfill /home
    echo "Home folder has been overwritten"
    # Clean RAM memory
    #smem
    echo "RAM is clean"
    echo "User data has been nuked."
fi

exit 0


03 Modify the script

In Line 5, substitute 'name' and 'nukepassword' for the username of your new account and the desired nuke password. Make sure this is different to your current one. Change 'srm -rvvv /home/name/' to the path of your real home folder.

Below: Press Ctrl + X, then Y, then return to save and exit


04 Run nuke script on login

Make your nuke script executable with the command...

sudo chmod a+x /etc/security/security.sh

Next run...

sudo nano /etc/pam.d/common-auth

...to open the Pluggable Authentication Modules (PAM) configuration. Find the line starting 'auth [success=1...' and change this to 'auth [success=2...'. Immediately below this line, paste the following:

auth optional pam_exec.so expose_authtok log=/tmp/pam.log /etc/security/security.sh
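Step 04 changes success=1 to success=2 because that number is how many of the following auth lines a correct password skips, so it now has to jump over both the inserted pam_exec line and pam_deny. The checker below is an added example, not part of the article: it parses a common-auth file and reports where a successful pam_unix check lands. The three sample stacks are constructed, and the stock layout is assumed to match the default Debian/Raspbian file.

```python
"""Added example: check where pam_unix's success=N jump lands in common-auth."""
import re

# Constructed samples. STOCK is assumed to match the default Debian/Raspbian
# auth stack; compare it with your own /etc/pam.d/common-auth.
STOCK = """\
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""
HOOK = ("auth    optional    pam_exec.so expose_authtok "
        "log=/tmp/pam.log /etc/security/security.sh\n")
FIRST, REST = STOCK.split("\n", 1)
# Hook pasted in, but success=1 left unchanged.
FORGOT_TO_EDIT = FIRST + "\n" + HOOK + REST
# Hook pasted in and the jump raised to 2, as step 04 describes.
AS_IN_ARTICLE = FIRST.replace("success=1", "success=2") + "\n" + HOOK + REST


def auth_stack(text):
    """Return [(control, module)] for every active 'auth' line, in order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            stack.append((m.group(1), m.group(2)))
    return stack


def after_success(stack, module="pam_unix.so"):
    """Module that runs next when `module` succeeds; None if the stack ends."""
    for i, (control, mod) in enumerate(stack):
        if mod == module:
            m = re.search(r"success=(\d+)", control)
            skip = int(m.group(1)) if m else 0
            nxt = i + 1 + skip
            return stack[nxt][1] if nxt < len(stack) else None
    raise ValueError(module + " not found in auth stack")


def verdict(text):
    """Classify the stack by what a correct password reaches first."""
    stack = auth_stack(text)
    modules = [mod for _, mod in stack]
    target = after_success(stack)
    if target == "pam_deny.so":
        return "lockout"                  # every login is refused
    if target == "pam_exec.so":
        return "hook-on-valid-password"   # script also sees the real password
    if target == "pam_permit.so":
        return "ok-with-hook" if "pam_exec.so" in modules else "ok-no-hook"
    return "review-manually"


if __name__ == "__main__":
    for name, text in (("stock", STOCK),
                       ("forgot to edit", FORGOT_TO_EDIT),
                       ("as in article", AS_IN_ARTICLE)):
        print(name, "->", verdict(text))
```

With the jump set to 2, the script is skipped for a correct login password and runs for every password that pam_unix rejects, not only the nuke password. Keep a root shell open while editing common-auth so a "lockout" result can be undone.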

05 Install secure delete tools

Run the command...

sudo apt-get install secure-delete

...to install the tools necessary to erase your home folder securely.

Below: Type 'man [...] information on how securely your data is erased.

06 Migrate your data (Optional)

If you previously had personal data in another user account, you should take this chance to move data across from that account to another from your backup drive. If you wish to delete the originals, do so using the new secure-delete tools, for instance:

srm -r /home/bob/Pictures


Nuclear deterrent

A nuke switch 
may appeal to 
your sense of 
melodrama but 
it's likely that if 
an unscrupulous 
person seizes 
your Pi, they will 
make a copy of 
the contents of the 
SD card before 
trying to enter the 
password. Ideally, 
you should encrypt 
your home folder 
before using this 
script. Even if it does 
work, the script 
cannot delete itself 
so it will be obvious 
to everyone that 
you have 'gone 
nuclear'. 


07 Test your new account 

Reboot your Pi and log into your new user account 
using the normal login password. Check that your 
files are where you need them. 

08 Test your nuke switch 

If your data is backed up, there's no harm checking 




your nuke password works. Reboot the Pi once 
again. Select your new username and enter the nuke 
password. The system will hang while it removes 
your files. 

09 Check nuke logs 

You can still connect to the Pi via SSH while the nuke script is running. Use the command...

cat /tmp/pam.log

...to check the progress of the nuke. Any further attempts to log in will just take the user back to the login screen.


Left: Use the 'ls' command inside the home folder to verify the home folder has been overwritten

Screenshot: the end of the srm output from the nuke script:

Removed directory /home/alice/ ... Done
Home folder has been erased.
Home folder has been overwritten
RAM is clean
User data has been nuked.

Turn your Pi into a Tor proxy with Onion Pi

Turn your Raspberry Pi into a wireless access point to access the anonymous Tor network

In this age of ubiquitous surveillance it's harder than ever to stop hackers, advertisers and shadowy government organisations from snooping on your browsing habits.

However if you choose to connect through Tor, your connection is encrypted and passed through a number of proxies through a process known as 'onion routing'. While this does slow down your connection, it also increases your privacy, making it extremely difficult to trace your actual current location.

Follow the steps in this tutorial to turn your Pi into a wireless AP (Access Point) named Onion_Pi. Any devices connecting to Onion_Pi will do so over the Tor network. When you're done, use a service like www.whatismyip.com to see that your location has changed.

For more information about Tor visit https://www.torproject.org/about/overview.html.en.


THE PROJECT ESSENTIALS

USB Bluetooth Low-Energy device
http://bit.ly/lMtDbJC
Android/iOS device
Android/iOS beacon app
BlueZ


01 Connect to Pi and check wireless is detected

Attach your Pi to your router via the Ethernet cable, then either open Terminal on the Pi or connect to it via SSH. Run the command sudo ifconfig -a. You should see the text wlan0 which shows that the wireless module is up and running.


Screenshot: the end of the ifconfig -a output:

          TX packets:4077 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4733743 (4.5 MiB)  TX bytes:1430164 (1.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:470 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:59771 (58.3 KiB)  TX bytes:59771 (58.3 KiB)

wlan0     Link encap:Ethernet  HWaddr b8:27:eb:59:de:10
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0

Left: Check for 'wlan0'. Don't worry if your IP address is different. We'll change it later




Configuring iptables-persistent


Current iptables rules can be saved to the configuration file 
/etc/iptables/rules.v4. These rules will then be loaded automatically 
during system startup. 

Rules are only saved automatically during package installation. See the 
manual page of iptables-save(8) for instructions on keeping the rules 
file up-to-date. 


Save current IPv4 rules? 


<No> 


02 Install essential software 

Run the command sudo apt-get update then sudo apt-get install hostapd isc-dhcp-server tor iptables-persistent to install the necessary software. When you install iptables-persistent you'll be asked if you want to save the rules for your current configuration. Select 'Yes' both times.

03 Configure the DHCP server

Run sudo nano /etc/dhcp/dhcpd.conf. Find the two lines beginning 'option domain-name' and put a '#' at the start of each. Remove the '#' from the line '#authoritative'. Scroll to the end and type:

subnet 192.168.42.0 netmask 255.255.255.0 {
range 192.168.42.10 192.168.42.50;
option broadcast-address 192.168.42.255;
option routers 192.168.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Left: Iptables-persistent will ask if you want to save changes. Press Return twice to agree

How does Tor keep you safe?

The Tor network is a group of servers or 'relays' operated by volunteers. When you start tor on the Pi, it will build a circuit of encrypted connections through relays on the network. Each relay only knows the last relay a data packet came from and where it's going, meaning it's extremely difficult to trace the data back to you. Tor also changes the circuits it uses every few minutes to make it even harder to find your machine.


04 Edit interfaces

Run sudo nano /etc/default/isc-dhcp-server. Scroll down to the line INTERFACES="" and insert 'wlan0' between the speech marks. Press Ctrl + X, Y, then Return to save and close.

Run the commands sudo update-rc.d hostapd enable and sudo update-rc.d isc-dhcp-server enable to make sure your changes start on boot.

Above: Make sure that "wlan0" is inside the speech marks

05 Set Static IP

Run sudo nano /etc/network/interfaces. If you see the text 'auto wlan0' add a '#' at the start to comment it out. Find the line allow-hotplug wlan0 and delete the two lines below it. Replace them with these three lines:

iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0

Run sudo ifconfig wlan0 192.168.42.1 to set your IP.



Left: If you're using a Raspberry Pi 3, comment out the 'driver' line


06 Configure the Access Point

Run sudo nano /etc/hostapd/hostapd.conf to create a blank file. Paste in the following:

interface=wlan0
driver=nl80211
ssid=Onion_Pi
country_code=US
hw_mode=g
channel=6
macaddr_acl=0



auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1

Feel free to change the passphrase from 'Raspberry' to something more complex.

07 Apply Access Point configuration

Run sudo nano /etc/default/hostapd. Find the line:

#DAEMON_CONF=""

Edit it so it says:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Don't forget to remove the # in front to activate it, or the line won't work.

Repeat these same steps for hostapd with the command sudo nano /etc/init.d/hostapd, again modifying the line #DAEMON_CONF="" so that it reads

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Above: Make sure you modify DAEMON_CONF="" in both init.d and hostapd.conf

08 Configure Tor

Run sudo nano /etc/tor/torrc to configure Tor. Find ## https://www.torproject.org/docs/faq#torrc and after it paste:

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1

Save and exit. Run sudo update-rc.d tor enable to make Tor start on boot.

09 Configure IP Tables

Run these commands to channel all traffic through Tor. The first rule keeps SSH to the Pi itself working, the second sends DNS lookups to Tor's DNSPort, and the third redirects every new TCP connection to Tor's TransPort:

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22

sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

Next, make your changes permanent:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Reboot your Pi when done.

Tor best practices

Don't use bit torrent: this places an unfair burden on volunteers running Tor relays. Bit torrent software also often sends out your real IP address.

Use HTTPS versions of websites: this encrypts your connection between your Tor exit node and your target website, e.g. https://gmail.com

Don't use browser plugins: this makes it easy to fingerprint your browser.

Don't open online documents: PDF and .doc files can contain code that might give away your real location.


Below: Use the command sudo iptables -t nat -L when you're done to check your configuration
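The listing can also be checked mechanically. This added example (Python, not part of the original tutorial) cross-checks the torrc lines from step 08 against the rules saved in /etc/iptables/rules.v4, and goes slightly beyond the article by also accepting the one-line address:port form of TransPort and DNSPort. The function names and both sample texts are constructed for illustration; the rule lines are written the way iptables-save prints them.

```python
import shlex

AP_IFACE = "wlan0"        # access point interface and address from step 05
AP_ADDR = "192.168.42.1"

# Constructed sample: the lines step 08 adds to /etc/tor/torrc.
SAMPLE_TORRC = """\
Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1
"""

# Constructed sample: the three step 09 rules as iptables-save writes them.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
"""


def parse_torrc(text):
    """Map lower-cased option name to its values (Tor ignores option case)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def tor_listener(opts, port_opt, addr_opt):
    """Return (address, port) for TransPort or DNSPort, or None if unset."""
    words = (opts.get(port_opt.lower()) or [""])[0].split()
    addr, sep, port = (words[0] if words else "").rpartition(":")
    if not sep:  # bare port: address comes from the listen option, else loopback
        addr = (opts.get(addr_opt.lower()) or ["127.0.0.1"])[0]
    return (addr, int(port)) if port.isdigit() else None


def parse_redirects(rules_text, iface):
    """List the nat PREROUTING REDIRECT rules bound to iface, in rule order."""
    rules, in_nat = [], False
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0].startswith("*"):
            in_nat = tok[0] == "*nat"
        if not in_nat or tok[:2] != ["-A", "PREROUTING"]:
            continue

        def arg(flag, offset=1):
            i = tok.index(flag) if flag in tok else -1
            return tok[i + offset] if 0 <= i < len(tok) - offset else None

        if arg("-i") != iface or arg("-j") != "REDIRECT":
            continue
        syn = "--syn" in tok or (arg("--tcp-flags") == "FIN,SYN,RST,ACK"
                                 and arg("--tcp-flags", 2) == "SYN")
        rules.append({"proto": arg("-p"), "dport": arg("--dport"),
                      "syn": syn, "to": arg("--to-ports")})
    return rules


def audit(torrc_text, rules_text, iface=AP_IFACE, ap_addr=AP_ADDR):
    """Return a list of problems; empty means torrc and the nat rules agree."""
    problems = []
    opts = parse_torrc(torrc_text)
    rules = parse_redirects(rules_text, iface)
    wanted = (
        ("TransPort", "TransListenAddress", "TCP",
         lambda r: r["proto"] == "tcp" and r["syn"] and r["dport"] is None),
        ("DNSPort", "DNSListenAddress", "DNS",
         lambda r: r["proto"] == "udp" and r["dport"] == "53"),
    )
    for port_opt, addr_opt, label, matches in wanted:
        listener = tor_listener(opts, port_opt, addr_opt)
        if listener is None:
            problems.append("%s is not set in torrc" % port_opt)
            continue
        addr, port = listener
        if addr not in (ap_addr, "0.0.0.0"):
            problems.append("%s listens on %s, not %s" % (port_opt, addr, ap_addr))
        if not any(matches(r) and r["to"] == str(port) for r in rules):
            problems.append("no %s rule redirects %s to %s %d" % (iface, label, port_opt, port))
    return problems


if __name__ == "__main__":
    print(audit(SAMPLE_TORRC, SAMPLE_RULES) or "torrc and iptables rules agree")
```

On the Pi, pass it the contents of /etc/tor/torrc and /etc/iptables/rules.v4; an empty list means DNS and TCP arriving on wlan0 are handed to the ports Tor is listening on.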




Encrypt your Raspberry Pi home folder

Easily keep your data safe with military-grade encryption on your Pi



THE PROJECT ESSENTIALS

This tutorial is compatible with all models of Pi running Raspbian Jessie


With the advent of the dazzling Pixel desktop on the Pi, with its glitzy icons and crisp windows, some readers may be considering using a Pi as their home computer. This however is not especially secure given that the Pi automatically logs in the default user without requiring a password. Even if the password is required, anyone can mount the SD card to view your documents, pictures, videos and other data.


























01 Back up your data 

If you have not done so already, log onto your Pi and 
transfer the contents of your Desktop, Documents, 
Pictures etc onto an external medium like a USB stick. 
This will make transferring your data to your encrypted 
home folder much easier. Use Ctrl+H to show hidden 
folders if you want to back up your application settings 
such as your browser bookmarks. 

02 Enable login screen

If you have not already done so, open Terminal on your Pi or connect via SSH and run the command:

sudo nano /etc/lightdm/lightdm.conf

to open your login options. Scroll down to the line autologin-user=pi and put a hash (#) at the start to comment it out. Press Ctrl+X, then Y, and then Return to save and exit. Remember the default password is 'raspberry'.

03 Reboot Pi and log in 

Reboot the Raspberry Pi and log in via the login 
screen. The username pi should already be selected 
and the password should be 'raspberry'. Moving 
forward we recommend that you work on the Pi's 
desktop directly as you will need to switch between 
users, which is difficult over SSH. If you do not have a 
monitor for your Pi, try connecting via VNC as the 'pi' 
user. 



04 Install eCryptfs and related files

Open Terminal on the Pi and run the command:

sudo apt-get install ecryptfs-utils lsof cryptsetup

You will need to press Y to confirm that you do indeed want to install the software. This will allow you to encrypt the home directory and access it each time you log in.


05 Create new user 

If you are serious about wanting to use the Pi, you 
most probably will want an account in your own 
name in any case. Use the command: 


sudo adduser (username) 


e.g sudo adduser bob to create your account. Type 
your password twice, then press Return to accept 
default values for the other options such as location. 





06 Encrypt new user's home directory 

The eCryptfs software comes with a handy built-in 
utility to encrypt existing home folders. Simply run 
the command: 

sudo ecryptfs-migrate-home -u bob 

where 'bob' is your new username. You'll be asked to 
enter a login passphrase twice (this can be the same 
as the password you just created). Make sure to read 
the Important Notes section once this is done. Do not 
reboot at this stage. 



pi@raspberrypi ~> sudo adduser bob
Adding user 'bob' ...
Adding new group 'bob' (1001) ...
Adding new user 'bob' (1001) with group 'bob' ...
Creating home directory '/home/bob' ...
Copying files from '/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for bob
Enter the new value, or press ENTER for the default
Full Name []: Bob Jones
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
pi@raspberrypi ~> sudo ecryptfs-migrate-home -u bob
INFO: Checking disk space, this may take a few moments. Please be patient.
INFO: Checking for open files in /home/bob
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
Enter your login passphrase [bob]:


07 Log into new encrypted user account

Use Menu>Shutdown>Logout to log out of the Pi user. In the dropdown menu select your new username e.g 'bob' and log in. Before bringing any data into this new account, open Terminal and simply type the command mount. This will show a flurry of information; you should see a reference to 'ecryptfs', which shows the encryption has been successful.





08 Back up your passphrase

If you're unable to log in because of a system problem or you want to move your data to a new computer, by default your files won't be accessible. Fortunately there's an eCryptfs utility that can display your mount passphrase, which can be used to access your files from another device. Open Terminal and run the command

ecryptfs-unwrap-passphrase

to view the passphrase and write it down. Store the passphrase in a safe place.


09 Migrate your data 

Use Menu>Shutdown>Reboot to restart your Pi and 
then log back in as the new user. At this stage you 
should connect your external drive and begin copying 
your documents and data back to the right places. 
You'll see that a new home folder has been created in 
/home, e.g /home/bob. No other users on the Pi will 
be able to access the files inside your home folder. 



10 Give your new user admin privileges

Log out of your new user for now and back into 'pi'. Open Terminal and run the command:

sudo visudo

Scroll down to the line reading root ALL=(ALL:ALL) ALL and on a new line immediately after this add:

bob ALL=(ALL:ALL) ALL

where 'bob' is your new username. Press Ctrl+X, Y, then Return to save and exit. Restart the Pi again to effect your changes.



11 Remove backup home folder

When encrypting your new home directory, the eCryptfs software places a backup in the home folder in case anything goes wrong. As this was a new account, the folder is empty, but to keep things simple, open Terminal and run the command:

ls /home

to find out its exact name, e.g bob.zyxxc, then run the command:

sudo rm -r -f /home/<directoryname>

to remove it.

Choosing a good password

Even if your home folder is encrypted it can be brute-forced by another computer trying various passwords until it hits on yours. Visit the website https://howsecureismypassword.net/ to see how long it would take to crack your own password. If the result is anything less than a century or so, consider using a stronger password. The DiceWare website (http://world.std.com/~reinhold/diceware.html) provides a quick and easy way to generate strong and easy to remember passwords through randomly selecting several dictionary words.

12 Delete data in Pi home folder

If you had personal data already in the existing 'pi' folder, it is still unencrypted and can be accessed by anyone who can obtain your Pi's MicroSD card. Log onto the 'pi' user and use the shred command to securely delete any files you want e.g

shred -zu bank-statement.pdf

Bear in mind that shred overwrites a file in place, and the wear levelling inside an SD card means the old blocks are not guaranteed to be the ones overwritten.

You can use

sudo rm -r -f <directoryname>

to erase entire folders but do not do this with any of the main folders in your 'pi' home folder e.g Desktop.


13 Disable swap space

There is a portion of the Pi's SD card (located in /var/swap) that is used in a way similar to RAM when the Pi is low on resources. For more modern Pi models this is very rarely used and can present a security risk as your data may be written there unencrypted. Log in to your new user account, open Terminal and run:

sudo swapoff -a -v

You should see a confirmation that it has been disabled. The change applies immediately but only until the next reboot.



















14 Fix permissions errors

Depending on the method you used to back up and transfer your data from your previous account, there may be permissions issues with certain files and folders (usually you will see a padlock on files you're unable to edit). You can reset the permissions on all files within folders, giving the owner full access, the group read access and everyone else none, with the command:

sudo chmod 0750 -R foldername

e.g sudo chmod 0750 -R /home/bob/Pictures, where 'bob' is your new username.

15 Double check your files are safe

This step is optional. Reboot the Pi and log into the 'pi' user. Open Terminal and if you have not previously done so, enter the command:

sudo passwd root

to set a password for the root user. Next enter the command su to switch into root. Run:

cd /home/bob

(where 'bob' is your new username) and then use ls to show the contents of the directory. There's now only a shortcut and a 'ReadME' file saying your data is protected.
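Steps 07, 13 and 15 each confirm one thing by eye; this added example (Python, not part of the original tutorial) makes the same checks from the text of /proc/mounts and /proc/swaps. The function names and sample contents are constructed for illustration, and the ecryptfs_sig value is a placeholder.

```python
import re

# Constructed samples of /proc/mounts and /proc/swaps; the signature value is
# a placeholder, not a real key id.
SAMPLE_MOUNTS = """\
/dev/root / ext4 rw,noatime,data=ordered 0 0
proc /proc proc rw,relatime 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=PLACEHOLDER,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
"""
SWAPS_HEADER = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
SAMPLE_SWAPS_ON = SWAPS_HEADER + "/var/swap                               file\t\t102396\t0\t-1\n"
SAMPLE_SWAPS_OFF = SWAPS_HEADER


def unescape(field):
    """Decode the octal escapes /proc/mounts uses for spaces and tabs in paths."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return (source, mountpoint, fstype) for every line of /proc/mounts."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts.append(tuple(unescape(p) for p in parts[:3]))
    return mounts


def home_mount(mounts_text, user):
    """Return (source, fstype) of the topmost mount on /home/<user>, or None."""
    target = "/home/" + user
    hit = None
    for source, mountpoint, fstype in parse_mounts(mounts_text):
        if mountpoint == target:
            hit = (source, fstype)  # a later entry is mounted over an earlier one
    return hit


def active_swap(swaps_text):
    """Return the swap files or devices listed after the /proc/swaps header."""
    return [line.split()[0] for line in swaps_text.splitlines()[1:] if line.strip()]


def check(user, mounts_text, swaps_text):
    """Return findings; an empty list means the home is on eCryptfs and swap is off."""
    findings = []
    mount = home_mount(mounts_text, user)
    if mount is None:
        findings.append("/home/%s is not a mount point: not encrypted, or %s is logged out"
                        % (user, user))
    elif mount[1] != "ecryptfs":
        findings.append("/home/%s is mounted as %s, not ecryptfs" % (user, mount[1]))
    for name in active_swap(swaps_text):
        findings.append("swap still active on %s" % name)
    return findings


if __name__ == "__main__":
    for finding in check("bob", SAMPLE_MOUNTS, SAMPLE_SWAPS_ON) or ["all checks passed"]:
        print(finding)
```

Run it while logged in as the new user, passing the contents of /proc/mounts and /proc/swaps, and again after a reboot to see whether swap has come back.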
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Monitor servers with 

a Raspberry Pi

Raspberry Pis are a great platform for any kind of monitoring project. This issue, learn how you can keep an eye on your servers with a Raspberry Pi


Even with a small footprint, Raspberry Pis can still provide a powerful set of computing resources. This is the perfect combination for projects that are meant to monitor something. We will look at how to code up a system to be able to keep an eye on an important server that you need information about. There are several ways to do this. Since we have limited space here, don't forget to check out other options in case something else might work better in your situation. As with other articles in this series, we will be using Python to write the code that handles monitoring the external server.

A properly hardened server should only allow encrypted connections over SSH from outside machines. There are several Python modules you could install to make such connections. A pure Python module that is fairly complete is Paramiko. This is the package that we will use for this article. Install it on your Pi with the command:

sudo apt-get install python3-paramiko

If you are using Python 2.X, you can change the module name to be 'python-paramiko'. This command also installs the Python modules that support cryptographic operations. Once you have the module installed, you can get your code prepared with the following code:

import paramiko
client = paramiko.SSHClient()
client.load_system_host_keys()
client.connect('192.168.0.10', username='pi', password='raspberry')


Depending on your setup, this piece of code may or may not work. It all depends on whether you have already connected to the external server with SSH before. If you have, then an identifier named the host key should have been saved in the file ~/.ssh/known_hosts. If so, then it should be in the set of keys imported by the load_system_host_keys() method. If you have never made an SSH connection to the server in question, then it will not be in the known hosts file and you will get an exception. You can set a callback function to deal with this situation manually. If you are only going to be connecting to known machines, there is a shortcut you can use instead. Paramiko includes a helper method that will automatically add new hosts to the known hosts list for you. Bear in mind that it accepts whatever key an unknown server presents without checking it, so it only suits machines and networks you trust. You can turn this functionality on with the following line of code:

client.set_missing_host_key_policy(paramiko.AutoAddPolicy())





You need to add this line somewhere before you try and make your first connection. If you want to minimise the chances of security issues, Paramiko gives you helper methods to manage the host key file. This code accepts a host key and then saves it off to the standard file:

client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect('192.168.0.10', username='pi', password='raspberry')
client.save_host_keys('/home/pi/.ssh/known_hosts')

You can reload this host key file in regular usage with the following code segment:

client.load_host_keys('/home/pi/.ssh/known_hosts')
client.connect('192.168.0.10', username='pi', password='raspberry')

So, now we have an open SSH connection to the server you wish to monitor. What can you do with this? Since you want to monitor the health of the remote machine, you need to execute commands on this remote machine and get the results back to analyse and/or display them. The simplest way to do this is the exec_command() method. This code snippet shows how you can get the current uptime of the server:

stdin, stdout, stderr = client.exec_command('uptime')
curr_uptime = stdout.readlines()
print(curr_uptime)

The output you get will look like this:

[' 21:55:43 up 13 days, 22:34, 0 users, load average: 0.00, 0.00, 0.00\n']


In the original code snippet, the method exec_command() returns a tuple of values for the standard input stream (stdin), the standard output stream (stdout) and the standard error stream (stderr). When you call this method, a new Channel is opened and the three standard IO streams are attached. You can then read output from the executed command from the stdout and stderr streams. The three streams behave much like standard Python file objects. This means when you use the readlines() method, you will not be able to go back and reread that data. This means that you should always save off this incoming data to a variable.

This works for simple commands, but what if you need a more complicated command that requires your interaction? An example is any command that requires sudo access to run. Your user account would need to have sudo permissions, and then you'd need to be able to type in your password when asked. Luckily, you have the stdin stream from the exec_command() method that lets you send in the required input. This code shows how to get the output from the dmesg command:

stdin, stdout, stderr = client.exec_command('sudo dmesg', get_pty=True)
stdin.write('raspberry\n')
stdin.flush()
# read() returns bytes under Python 3, so decode before splitting into lines
dmesg_data = stdout.read().decode().splitlines()

With the exec_command() method, we introduced a new parameter named get_pty. By default, this parameter is False, but you may need to set it to True for some remote machines. The write() method for the stdin stream takes your password, to be handed in to the sudo process. You need to include the newline character at the end of your password to represent you hitting the Enter key on the keyboard. Once this has been executed, you need to call the flush() method to make sure that this data is pushed through the SSH connection to the remote machine. You can then read the returned results from the dmesg command. In the above example, we just used the read() method, and then used the splitlines() method to end up with a list of the returned lines. If you have something specific you are looking for, you can loop through the returned lines. For example, the following code looks for all of the lines that are messages from the systemd process.


for line in dmesg_data:
    # the text before the first ':' is the timestamp and the process name
    if 'systemd' in line.split(':')[0]:
        print(line)

This can work for any system software that might be running on your monitored server.

The last thing you might want to be able to do with the server is to move files on and off the remote machine. It might be that you need to pull log files off the system for further analysis. The beginning of working with files is exactly the same as above, up to the point that you have a valid client object ready that has opened a connection to the remote machine. The following code shows how to get a log file off of the server.

sftp = client.open_sftp()
# get() takes the remote path first, then the local path
sftp.get('serverside.log', 'localcopy.log')
sftp.close()

This code opens an SFTP connection to the server and calls the get method. This gets the remote file, named serverside.log, and saves it to the local file localcopy.log in the current working directory on your local Raspberry Pi. Once you have finished with all of your file IO, you need to use the close() method to clean up the connection details.

Why Python?

It's the official language of the Raspberry Pi. Read the docs at python.org/doc

Putting this together, the following code shows how you can check the load average on the server and print out a warning if it gets higher than a certain value.

import paramiko

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect('192.168.0.10', username='pi', password='raspberry')
stdin, stdout, stderr = client.exec_command('cat /proc/loadavg')
data1 = stdout.readlines()
data2 = data1[0].split()
if float(data2[0]) >= 5.0:
    print('HELP! TOO MUCH WORK!')
client.close()

This will scream at the user, in all caps, when the one-minute load on the remote machine gets to at least 5.0.

For very secure systems, you may not be allowed to connect using a username and password combination. If this is the case, you will need to use an SSH key to authenticate yourself with the remote machine. If you have the keys already set up correctly within the directory ~/.ssh, you can simply call the connect() method with no password. Paramiko will search in the standard places for the relevant key files. If you just have a file containing the relevant key information, you can hand this into the connect() method. This example shows how to use the key file that you placed in the current working directory.

# key_filename must point at the private key, not the .pub file
client.connect('192.168.0.10', username='pi', key_filename='mykey')

This should allow you to follow whatever security measures are in place when trying to monitor your remote server.
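As an added example, not code from the article: the same load check with the unknown-host case handled strictly instead of with AutoAddPolicy, and with a private key instead of a password. An unexpected key stops the connection and is reported by its SHA256 fingerprint, so it can be compared with the server's own before anything is added to known_hosts. HostKeyProblem, fetch_loadavg, check_server and the file paths in the comments are names assumed for this example.

```python
import base64
import hashlib


class HostKeyProblem(Exception):
    """The server's host key is unknown or differs from known_hosts."""


def sha256_fingerprint(key_blob):
    """Fingerprint of a raw public key blob, in the form ssh-keygen -lf prints."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_loadavg(text):
    """Turn a /proc/loadavg line into (1-min, 5-min, 15-min) load floats."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("not a /proc/loadavg line: %r" % text)
    return tuple(float(f) for f in fields[:3])


def fetch_loadavg(host, username, key_path, known_hosts, timeout=10):
    """Read /proc/loadavg over SSH, refusing any host key not in known_hosts."""
    import paramiko  # imported here so the helpers above work without it

    class ReportAndReject(paramiko.MissingHostKeyPolicy):
        def missing_host_key(self, client, hostname, key):
            raise HostKeyProblem("%s sent unknown %s key %s" % (
                hostname, key.get_name(), sha256_fingerprint(key.asbytes())))

    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts)          # only keys already trusted
    client.set_missing_host_key_policy(ReportAndReject())
    try:
        client.connect(host, username=username, key_filename=key_path,
                       allow_agent=False, look_for_keys=False, timeout=timeout)
        _stdin, stdout, stderr = client.exec_command("cat /proc/loadavg",
                                                     timeout=timeout)
        output = stdout.read().decode()
        if stdout.channel.recv_exit_status() != 0:
            raise RuntimeError(stderr.read().decode().strip())
        return parse_loadavg(output)
    except paramiko.BadHostKeyException as exc:
        raise HostKeyProblem("%s key changed to %s" % (
            host, sha256_fingerprint(exc.key.asbytes()))) from exc
    except paramiko.SSHException as exc:
        raise RuntimeError("SSH failure: %s" % exc) from exc
    finally:
        client.close()


def check_server(host, fetch, limit=5.0):
    """One monitoring pass; fetch(host) must return the three load averages."""
    try:
        loads = fetch(host)
    except HostKeyProblem as exc:
        return "HOSTKEY", str(exc)
    except (OSError, RuntimeError, ValueError) as exc:
        return "UNREACHABLE", str(exc)
    status = "HIGH_LOAD" if loads[0] >= limit else "OK"  # the article's 5.0 rule
    return status, "load %.2f %.2f %.2f" % tuple(loads)


if __name__ == "__main__":
    # Constructed reading so the example runs offline. Against a real server
    # (key and known_hosts paths are assumptions):
    #   check_server("192.168.0.10", lambda h: fetch_loadavg(
    #       h, "pi", "/home/pi/.ssh/id_rsa", "/home/pi/.ssh/known_hosts"))
    sample = "5.20 3.10 1.00 2/180 4321"
    print(check_server("192.168.0.10", lambda h: parse_loadavg(sample)))
```

A HOSTKEY result is the one to investigate rather than retry: compare the printed fingerprint with the output of ssh-keygen -lf on the server's host key file before trusting it.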

Now that we have figured out how to create a server 
monitor, there should be no excuse for that mission- 
critical hardware getting into trouble. You should have 
all of the up-to-date information you need to be able to 
manage that system successfully. 






Join the conversation at...

@linuxusermag    Linux User & Developer    linuxuser@futurenet.com



The Raspberry Pi encourages a lot of hands-on work and this means it doesn't quite work like - or as easily as - your laser focus-tested smartphone interface, or even a normal computer. So we're answering your burning Raspberry Pi questions each issue - get in touch with us on Twitter, Facebook or by email.

How can I take screenshots when I'm in the desktop environment
Sh@neTX, Rotherham, via email

You've not told us which distro you're using but that doesn't really matter as there's a neat little trick that you can employ whatever... Simply execute "sudo apt-get install scrot" to install Scrot. Scrot is an ultra-minimal command line screen capturing application and after it's installed you'll be able to create and save screenshots of your desktop to the working directory. Scrot will even allow you to invoke a third-party utility to edit and manipulate the resulting image. It's a highly configurable little app, execute "scrot -h" and take a look at all the options that are open to you.


Keep up with the latest Raspberry Pi news by following @LinuxUserMag on Twitter. Search for the hashtag #RasPiMag


My Raspberry Pi sometimes shuts down or restarts soon after booting up.
DanGreggs76 via email

If you're getting a flicker from the OK LED before the Raspi fails to start, first check the power supply and SD card as low voltage or a corrupt card can cause this. Make sure the SD Card is making contact with the Raspi as solder residue may have fallen onto the contacts or into the cavity. Clean the contacts and check that they protrude at least 2mm from the lower edge of the holder. If not, unclip them by inserting a needle under the contact and pulling up gently. Clean the cavity and reclip.


Can I run Kodi on my Raspberry Pi, and will it be different from the version running on my other devices?
Brian via email

Kodi is a brilliant media player and it's absolutely possible to run it on the Raspberry Pi. At the time of going to press, the current stable version of Kodi for the Pi is Leia, although it's worth noting that you need the version of Kodi designed for the Raspberry Pi - other versions will not run on your Pi. You shouldn't notice any real difference, apart from the fact that it's better not to run Blu-Ray-quality video as it can slow down performance. Some people recommend disabling omxplayer acceleration to improve performance too.



Next issue

Make a Pi-powered virtual reality setup

Get this issue's source code at: www.linuxuser.co.uk/raspicode



